ComplianceKit

Access Control Policy

Policy #2

Policy Number: CK-002

Version: 1.0

Effective Date: 6/12/2026

Review Cycle: Annual


1. Purpose

This Access Control Policy defines how Acme Corp manages, grants, reviews, and revokes access to information systems, applications, and data. Proper access control is fundamental to our SOC 2 compliance and security posture.

2. Scope

This policy covers all logical access to Acme Corp systems including AWS infrastructure, GitHub, Google Workspace, Slack, production databases, and any third-party SaaS applications containing company or customer data.

3. Policy Statement

Access to Acme Corp systems is granted on a need-to-know, least-privilege basis. Access must be formally requested, approved, provisioned, reviewed, and revoked following the procedures in this policy.

4. Access Provisioning

4.1 New Employee Onboarding

Upon hire, the People team initiates an access request listing required systems. The employee's manager approves access. IT provisions accounts within 1 business day of approval.

4.2 Role-Based Access

Access levels are defined by role:

  • Engineers: GitHub write access, AWS developer account, Slack
  • Admins: Full Google Workspace admin, AWS account management
  • Contractors: Scoped GitHub access only, no production system access by default

4.3 Privileged Access

Production AWS access requires MFA and is granted only to senior engineers with explicit CTO approval. All privileged sessions are logged via CloudTrail.

5. Access Reviews

Quarterly access reviews are conducted for all production systems. Managers certify that their team members' access remains appropriate. Orphaned accounts are identified and disabled within 48 hours.

6. Access Revocation

Upon employee termination or role change, IT must revoke access within 4 hours (same-day for involuntary terminations). Google Workspace account suspension triggers automatic cascade revocation across integrated apps.

7. Shared & Service Accounts

Service accounts in AWS use IAM roles, not long-lived access keys. Where API keys are necessary, they are stored in AWS Secrets Manager and rotated every 90 days. No shared credentials for human users.

8. Compliance & Enforcement

Unauthorized access attempts are logged and investigated. Personnel found sharing credentials or accessing systems beyond their authorization will face disciplinary action.


*Reviewed and approved as part of SOC 2 Type I readiness program.*